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(54) System and method for providing anonymous personalized browsing in a network 


(57) For use with a network having server sites ca- 
pable of being browsed by users based on identifiers 
received into the server sites and personal to the users, 
alternative proxy systems for providing substitute iden- 
tifiers to the server sites that allow the users to browse 
the server sites anonymously via the proxy system. A 
central proxy system includes computer-executable 
routines that process site-specltic substitute identifiers 
constructed from data specific to the users : that trans- 
mits the substitute identifiers to the server sites, that re- 


transmits browsing commands received Irom the users 
to the server sites, and that removes portions of the 
browsing commands that would identity the users to the 
server sites. The foregoing functionality is performed 
consistently by the central proxy system during subse- 
quent visits to a given server site as the same site spe- 
cific substitute identifiers are reused. Consistent use of 
the site specific substitute identifiers enables the server 
site to recognize a returning user and : possibly provide 
personalized service. 
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Description 

TECHNICAL FIELD OF THE INVENTION 

The present invention is directed, in general, to net- 
works and, more specifically, to a system and method 
that allows a user to browse personalized server re- 
sources on a network anonymously. 

BACKGROUND OF THE INVENTION 

The Internet is a well-known collection of networks 
{e.g., public and private data communication and multi- 
media networks) that work together (cooperate) using 
common protocols to form a world wide network of net- 
works. 

In recent years, the availability of more efficient, re- 
liable and cost-effective computers and networking 
tools have allowed many companies and individuals 
(collectively, "users") to become involved in an ever 
growing electronic marketplace. The immeasurable 
gains in technology experienced by the computer indus- 
try overall have allowed these users to rely on commer- 
cially available computers, such as personal computers 
("PCS"), to meet their information processing and com- 
munication needs. To that end, PC manufacturers equip 
most PCS with an interface that may be used for com- 
munication over n etworks, such as the Internet 

The Internet continues to increase its position as an 
integral place for businesses that offers information and 
services to potential customers. Popular examples of 
such businesses are news providers (e.g. t wwwcnn. 
com (the Cable News Network), www.nytimes.com (the 
New York Times), www.wsj.com (the Wall Street Jour- 
nal), www.ft.com (Financial Times Magazine), www. 
businessweek.com (Business Week Magazine)); car 
manufacturers {e.g., www.ford.com/us (the Ford Motor 
Company): www.gm.com (the General Motor Compa- 
ny), www.toyotacom (the Toyota Motor Company)); 
book stores {e.g., www.arnazon.com (Amazon.com 
books)); software providers (e.g., www.microsaft.com 
(the Microsoft software company)) and many more. 

Most often, such a business sets up a home page 
on the World Wide Web (a "web-site, 9 the World wide 
Web is a logical overlay of the Internet). The web-site 
constitutes an electronically-addressable location that 
may be used for promoting, advertising and conducting 
business. Potential electronic customers use web- 
browsers [e.g., NETSCAPE NAVIGATOR®, MICRO- 
SOFT EXPLORER®, etc. ) to access the information of- 
fered on those web-sites. 

An increasing number of web sites offer personal- 
ized services that may include "personalized web pag- 
es" customized to a user's interests, with hyper-links (a 
reference or link from some point in one hypertext doc- 
ument to some point in another document or another 
place in the same document - often displayed in some 
distinguishing way (e.g. : in a different color, font or 
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style)) and displayed messages tailored according to 
the user's preferences. Such preferences can be ascer- 
tained by having a user establish an account with that 
web-site. This allows the web-site to store information 
5 about the user's previous visits, either by tracking the 
hyper-links the user followed or through explicit dialogs 
with the user. For example, the Wall Street Journal pro- 
vides a "personalized journal" to each user, where the 
sequence and selection of sections is customized. In or- 
der to open an account: the user typically has to com- 
plete a form electronically, providing a user name, a 
password, an electronic-mail ("e-mail") address, etc. 
The latter is often used by the web-site to send back 
information not provided on the web-site itself to the us- 
er. 

Given the inherent lack of privacy of electronic com- 
munication over the Internet generally, and. particularly, 
the World Wide Web, it has long been felt that a system 
that could ensure private electronic communication 
would be highly advantageous. As an example of the 
problem, consider the plight of a customer that would 
like to browse the World Wide Web in a safe and private 
(anonymous) manner, visiting sites that provide person- 
alized service. The customer would like to establish ac- 
counts on web-sites without revealing his true identity, 
and without reusing the same user names, passwords, 
for multiple sites. Customers should refrain from reusing 
the same user names and passwords at multiple sites 
to avoid a security breach at one site to affect other sites; 
additionally, refraining from using such user names and 
passwords limits the ability of multiple sites from collud- 
ing to combine customer information and build dossiers 
on particular customers. 

Typically, the customer visits many of these web- 
sites, and inventing and remembering new user names 
and passwords for each web-site becomes tedious. 
Moreover, many of these web-sites require the custom- 
er to include his e-mail address with his user name and 
password - by providing his e-mail address, the cus- 
tomer reveals his identity. 

In addition, there are commercial products available 
that allow web-sites to track their clients and visitors. 
Such tracking can be made even when no voluntary in- 
formation is provided by the user and no form is filled 
out. Examples ol such systems are "Webreporter," 
which is available from OPENMARKET, INC., and 
"SiteTrack,'* which is available from GROUP CORTEX, 
whose advertisement reads as follows: 

"Identify who is visiting your site. Record the actual 
number of people that visit. Find which links they lollow 
and trace their complete path. Learn which site users 
came from and which site they depart to..." 
These products are made possible because the hyper- 
text transport protocol ("HTTP-protocol"), on which the 
World Wide Web is largely based, allows specific infor- 
mation to flow back from the user to the web-site. This 
can include for example, the user's e-mail address, the 
last web-site he came from, and information about the 
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user's software and host-computer. Other pert'nent user 
information may be sent by the web-site to the user 
browser using what are commonly referred to as ■cook- 
ies' (pieces of information that web-sites may store at 
the user's browser). On subsequent visits to the web- s 
site, the user's browser sends back information to the 
web-site without the user's knowledge. 

From the foregoing, it is apparent that what is need- 
ed in the art is a scheme that provides anonymous per- 
sonalized web browsing that satisfies two seemingly 
conflicting objectives, namely, providing user privacy 
and user identification. 

SUMMARY OF THE INVENTION 

To address the above-discussed deficiencies of the 
prior art, the present invention introduces a proxy sys- 
tem that performs two basic functions: (1) automatic 
substitution of user-specific identifiers such that server 
sites {e.g., web sites, junction points, intelligent portal 
devices, routers, network servers, etc.) within a network 
are prevented from determining the true identity of the 
user browsing (accessing, locating, retrieving, reading, 
contacting, etc.) the sites; and (2) automatic stripping of 
any other information associated with browsing com- 
mands that would allow the server sites to determine the 
true identity of the user browsing the server sites. An 
important aspect of the present invention is that the fore- 
going functions are performed consistently by the proxy 
system during subsequent visits to the server site (the 
same substitute identifiers are used on repeat visits to 
the server site; the server site also cannot distinguish 
between information supplied by the userandthe proxy 
system, thus the proxy system is transparent to the serv- 
er site). The present invention therefore not only intro- 
duces anonymous browsing, but also personalization 
based upon the consistent use of substitute identifiers. 

It should be noted tharthe term "true, " as used here- 
in, means accurate, actual, authentic, at least partially 
correct, genuine, real or the like, the term 'or," as used 
herein, is inclusive : meaning and/or; and the phrase "as- 
sociated with" and derivatives thereof, as used herein, 
may mean to include within, interconnect with, contain, 
be contained within, connect to or with : couple to or with, 
be communicable with, juxtapose, cooperate with, inter- 
leave, be a property of, be bound to or with, have, have 
a property of, or the like. 

As is described in greater detail hereinbelow, the 
principles of the present invention address the conflict- 
ing objectives of user privacy and user identificatbn de- 
scribed hereinabove by providing a proxy system, a pe- 
ripheral proxy system, and a method of providing sub- 
stitute identifiers to a server site that allow users to 
browse the same anonymously via the proxy system. 

In one embodiment, the present invention provides, 
for use with a network having server sites capable of 
being browsed by users based on identifiers received 
into the server sites and personal to the users, a central 
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proxy system for providing substitute identifiers to the 
server sites that allow the users to browse the server 
sites anonymously via the central proxy system. Accord- 
ing to various embodiments of the present invention, the 
substitute identifiers may be suitably constructed by the 
user site or a routine associated with the central site (ad- 
vantageous ways (functbns) of constructing the substi- 
tute identifiers are described hereinafter). The exempla- 
ry central proxy system includes: (1) a computer-exe- 
cutable first routine that processes (receives, accepts, 
obtains, constructs, produces, etc.) site-specific substi- 
tute identifiers constructed from data specific to the us- 
ers, (2) a computer-executable second routine that 
transmits the substitute identifiers to the server sites and 
thereafter retransmits browsing commands received 
from the users to the server sites and (3) a computer- 
executable third routine that removes (and possibly sub- 
stitutes) portions of the browsing commands that would 
identify the users to the server sites. "Include" and de- 
rivatives thereof, as used herein, means inclusion with- 
out limitation. 

In one embodiment the first of the two above-enu- 
merated basic functions is performed external to the 
central proxy system, while in another it is performed, 
at least in part, within the central proxy system. The cen- 
tral proxy system processes and forwards the substitute 
identifiers as appropriate and directly performs the sec- 
ond of the above-enumerated basic lunctions by strip- 
ping other information that would tend to identify the us- 
ers. An Internet Access Provider ("ISP"), such as NET- 
COM®, or a networking service, such as AMERICA ON- 
LINE® or COMPUSERVE® can advantageously em- 
ploy the central proxy system to provide anonymous re- 
transmission of browsing commands by their users. 

It is important to understand that subsequent use of 
the proxy system by a "same" user to a "same" server 
site will cause the proxy system to construct (directly or 
indirectly) and use the same (site-specific) substitute 
identifiers. Typically, the proxy system functions as a 
conduit communicating messages between the user 
and the server. Depending upon the embodiment, the 
proxy system may remove or substitute some portion of 
messages communicated by the user to the server to 
ensure anonymity. 

An alternative advantageous embodiment of the 
present invention may be provided in the form of a pe- 
ripheral proxy system designed for use with a network 
having a server site capable of being browsed by users 
based on identifiers received into the server site and 
personal to the users. The peripheral proxy system in- 
cludes: (1 ) a computer-executable first rouline that con- 
structs a particular substitute identifier from data re- 
ceived from a particular user and (2) a computer-exe- 
cutable second routine that transmits the particular sub- 
stitute identifier to the central proxy system, the central 
proxy system retransmitting the particular substitute 
identifier to the server site and thereafter retransmitting 
browsing commands received from the particular user 
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to the server site. According to this embodiment, the first 
routine may be associated, at least in part, with the user 
site, which distributes the basic tunctions of the present 
invention over multiple computer systems. 

The foregoing has outlined, rather broadly, pre- 
ferred and alternative features of the present invention 
so that those skilled in the art may better understand the 
detailed description of the invention that follows. Addi- 
tional features of the invention will be described herein- 
after that form the subject of the claims of the invention. 
Those skilled in the art should appreciate thai they can 
readily use the disclosed conception and specific em- 
bodiment as a basis for designing or modifying other 
structures for carrying out the same purposes of the 
present invention. 

BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the present 
invention, reference is now made to the following de- 
scriptions taken in conjunction with the accompanying 
drawings, wherein like numbers designate like objects, 
and in which: 

FIGURE 1 illustrates a high-level block diagram of 
an exemplary distributed network with which the 
principles of the present invention may be suitably 
used to provide either a central or a peripheral proxy 
system for allowing users to provide substitute iden- 
tifiers to server sites of a network to browse anon- 
ymously; 

FIGURE 2 illustrates a block diagram of an exem- 
plary sub-network of the distributed network of FIG- 
URE 1 showing a central proxy system that includes 
each of a user site, a central proxy system and a 
plurality of illustrative server sites according to the 
principles ot the present invention; 
FIGURE 3 illustrates an exemplary full screen win- 
dow of a proxy system according to the principles 
of the present invention; 

FIGURE 4 illustrates an exemplary full screen win- 
dow of an interface of a particular server site ac- 
cording to the principles of the present invention; 
FIGURE 5 illustrates a block diagram of an exem- 
plary sub-network of the distributed network of FIG- 
URE 1 showing a peripheral proxy system that in- 
cludes each of a user site, a central proxy system 
and a plurality of illustrative server site according to 
the principles of the present inventbn; and 
FIGURE 6 illustrates a block diagram of an exem- 
plary sub-network of the distributed network of FIG- 
URE 1 including each of a user site, a central proxy 
system and a plurality of illustrative server sites ac- 
cording to an exemplary marker proxy embodiment 
of the present invention. 
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DETAILED DESCRIPTION 

Referring initially to FIGURE 1 : illustrated is a high- 
level block diagram of an exemplary distributed network 
5 (generally designated 100) with which the principles of 
the present invention may be suitably used to provide 
either a central or a peripheral proxy system. Distributed 
network 100 illustratively includes a plurality of compu- 
ter sites 105 to 110 that are illustratively associated by 
10 Internet 115. Internet 115 includes the Worldwide Web : 
which is not a network itself, but rather an "abstraction' 
maintained on top of Internet 115 by a combination of 
browsers, server sites ; HTML pages and the like. 

According to the illustrated embodiment, either 
is proxy system provides substitute identifiers to one or 
more ol a plurality of server sites 110 of network 100. 
The substitute identifiers allow user sites (and. hence, 
users (not shown)) to browse the server sites anony- 
mously via the proxy system. Consistent use of the 
20 same (site-specific) substitute identifiers at a particular 
server site personalizes browsing. For purposes of illus- 
tration, site 105a is assumed throughout this document 
to be a user site, site 110a is assumed to be a central 
proxy site, and site 110g is assumed to be a server site. 
2 s Those of skill in the pertinent art will understand that 
FIGURE 1 is illustrative only in other configurations, any 
ol sites 105 to 110 may be a user, a central proxy or a 
server site, or a combination of at least two of the same. 
"Server site, 0 as the term is used herein, is construed 
30 broadly, and may include any site capable of being 
browsed. 

Although the illustrated embodiment is suitably im- 
plemented for and used over Internet 11 5, the principles 
and broad scope of the present invention may be asso- 
3S ciated with any appropriately arranged computer, com- 
munications, multimedia or other network, whether 
wired or wireless, that has server sites capable of being 
browsed by users based on identifiers received into the 
server sites and that are personal to the users. Further, 
<o though the principles of the present invention are illus- 
trated using a single user site 105a, a single central 
proxy site 110a and a single server site 110g, alternate 
embodiments within the scope of the same may include 
a plurality of user, central proxy or server sites. 
4& Exemplary network 1 00 is assumed to include a plu- 
rality of insecure communication channels that operate 
to intercouple ones of the various sites 105 to 110 of 
network 100. The concept of communication channels 
is known and allows insecure communication of infor- 
50 rnation among ones of the intercoupled sites {the Inter- 
net employs conventional communication protocols that 
are also known). A distributed network operating system 
executes on at least some of sites 105, 110 and may 
manage the insecure communication of information 
55 therebetween. Distributed network operating systems 
are also known. 

According to exemplary central proxy system 110a 
ot the present invention, which is discussed in detail with 
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reference to FIGURE 2. substitute identifiers may be 
suitably indirectly provided by central proxy system 
110a to server site 110g (recall that substitute identifiers 
allow user site 105a to browse server site 110g anony- 
mously). One or more site-specific substitute identifiers £ 
are suitably provided or constructed from data specific 
to user 1 05a either by user 1 05a or central proxy system 
110a. Central proxy system 110a includes a plurality of 
executable routines - a first routine processes site-spe- 
cific substitute identifiers constructed from data specific 
to user 105a (site-specific substitute identifiers may be 
suitably constructed by a central proxy site 11 0a, such 
as by a rouline associated with central proxy system 
110a); a second routine transmits the substitute identi- 
fiers to server site 11 Og (possibly via a plurality of inter- 
mediate user and server sites 105, 110) and thereafter 
retransmits browsing commands received from user site 
105a to server site 110g; and a third routine removes 
(and possibly substitutes) portions of the browsing com- 
mands that would identify user site 105a to server site 
110g (and the plurality of intermediate user and server 
sites 105 : 110). The term ■routine," as used herein, is 
construed broadly to not only include conventional 
meanings such as program, procedure, object, task, 
subroutine function, algorithm, instruction set and the 
like, but also sequences of instructions, as well as func- 
tionally equivalent firmware and hardware implementa- 
tions. 

Alternatively, according to an exemplary peripheral 
proxy system (generally designated 120) of the present 
invention, which is discussed in detail with reference to 
FIGURE 5, that is designed for use with network 100 
again having a server site 110g capable of being 
browsed by a user site 105a based on substitute iden- 
tifiers received into server site 110g and that are per- 
sonal to user site 105a. Exemplary peripheral proxy sys- 
tem 120 Includes first and second executable routines. 
The first routine, which may advantageously reside in 
user site 105a or, alternatively, in central proxy system 
110a, constructs a particular substitute identifier from 
data particular to user site 105a. The second routine, 
which may also advantageously reside in user site 105a 
or, partially, in user site 105a and central proxy system 
110a ; transmits the particular substitute identifier to cen- 
tral proxy system 110a. Central proxy system 110a then 
retransmits the particular substitute identifier to server 
site 110g and thereafter communicates (e.g., transmits, 
receives, etc.) information (e.g., browsing commands, 
data, etc.) between user site 105a to server site 110g. 

According to the illustrated embodiment, peripheral 
proxy system 1 20 differs from central proxy system 1 1 0a 
by the location of execution of the first and second rou- 
tines. In the illustrated central proxy embodiment, ail 
routines are executed by central proxy system 110a, 
which means that all users must send user specific in- 
formation to central proxy system 110a. In the illustrated 
peripheral proxy system 120, the first and second rou- 
tines may be executed in a proxy subsystem associated 


with user site 105a. In one advantageous embodiment, 
user system 105a's user specific information (e.g., user 
identification, passwords, e-mail addresses : telephone 
numbers, credit card numbers, postal address : etc.) re- 
main local, which will typically be more secure than cen- 
tral proxy system 110a 

As set forth hereinabove, an ISP, such as NET- 
COM®, or a networking service, such as AMERICA ON- 
LINE® or COMPUSERVE®, can advantageously em- 
ploy either exemplary proxy system (central or periph- 
eral) to provide anonymous communication (transmis- 
sion, reception, retransmission, etc) of browsing (e.g., 
accessing, selection, reading, etc.) commands between 
user sites and server sites. 

An important aspect of the above-identified embod- 
iments is the use of site-specific substitute identifiers to 
eliminate the need lor a user to have to "invent" a new 
user name and password for each server site which re- 
quires the establishment of an account (e.g., the NEW 
YORK TIMES, the WALL STREET JOURNAL, the 
NEWS PAGE® and ESPN® sites). The illustrated em- 
bodiment generates secure substitute identifiers (e.p., 
alias user names, passwords, e-mail addresses, postal 
addresses, credit card numbers, etc.) that are distinct 
and secure for the user. The user provides one or more 
character strings (which may be random) once, which 
may advantageously be at the beginning of a proxy sys- 
tem session. The proxy system uses the same to gen- 
erate one or more secure site-specific substitute identi- 
fiers forthe user thereby freeing the user from the bur- 
den of inventing new and unique identifiers for each 
server site. Moreover, the user no longer has to type 
such secure identifiers every time the user returns to a 
particular server site requiring an account; instead the 
proxy system provides the appropriate secure identifiers 
automatically. In an advantageous embodiment to be 
. described, the proxy system filters other identifying in- 
formation (e.g., HTTP headers, etc.) sent by user site 
1 05a while browsing server sites. It is important to keep 
in mind that server sites cannot typically distinguish be- 
tween information supplied by proxy system 110a and 
information supplied by user site 105a - central proxy 
system 110a being transparent to carver sites. 

In one embodiment, the substitute identifiers are 
transmitted on demand from servers, without any inter- 
vention from the user. This process automates the re- 
sponse to a "basic authentication request," which is a 
common procedure used by servers to identify users on 
the World Wide Web. In this way, the user is not bur- 
dened by this activity. 

According to the illustrated embodiment, to produce 
substitute identifiers the proxy system may suitably 
maintain secret information (secret to at least one serv- 
er-site) in the form ol user definable character strings. 
These character strings may be user defined and may 
be maintained In some conventional manner, such as 
storing the same to memory associated with the proxy 
system, or, advantageously, a function (described here- 
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inafter) may be used to produce the substitute identifi- 
ers, at least in part, in association with the secret infor- 
mation. According to one approach, the proxy system 
maintains a conventional data structure to maintain the 
same, such as a database, data repository, an array, 
etc., or even an alias table, that may be used to map 
user information to their substitute, or alias, identifiers. 

According to one advantageous embodiment, the 
user delivers its own secret (user definable character 
string) at the beginning of each session, which is used 
by the proxy system to generate, directly or indirectly, 
the substitute identifiers for the session. This option has 
the advantage that a user has the flexibility to choose 
dilferent proxies at different times and there is no per- 
manent secret information stored on the proxy system. 
In another related embodiment, the data comprises at 
least two secret user definable character strings, where- 
in the first routine processes substitute identifiers con- 
structed in part from the at least two secret user defin- 
able character strings. Of course, alternate suitable ap- 
proaches may be used to accomplish the purpose of 
providing anonymous personalized web browsing ac- 
cording to the present invention. 

Turning now to FIGURE 2, illustrated is a block di- 
agram of an exemplary sub-network (generally desig- 
nated 200) of distributed network 1 00, wherein sub-net- 
work 200 includes user site 105a, central proxy system 
110a and server site 11 Og (shown among a plurality of 
other illustrative 6erver sites 11 Oof Internet 11 5) accord- 
ing to the principles of the present invention. 

For purposes of illustrat ion, assume that user site 
1 05a issues a command to access server site 1 1 0g (the 
NEW YORK TRIBUNE web-site ("NYT")). Such access 
would be via central proxy system (server site) 110a, 
which ensures that user specific data concerning user 
site 105a is not communicated over the remainder of 
Internet 115 -there maybe HTTP header fields, for ex- 
ample, that include data about user site 105a that cen- 
tral proxy system 110a filters. 

Exemplary central proxy system 110a advanta- 
geously executes on a server site that is not associable 
with user site 105a by other sites over Internet 115. Ac- 
cording to an advantageous embodiment, central proxy 
system 110a may be suitably distant, both physically 
and logically, from user site 105a — user site 105a does 
not access server-sites directly because the server- 
sites can determine both physically and logically the In- 
ternet Protocol ("IP") - address of the machine that 
made the request. 

According to the exemplary embodiment if user site 
105a's command to access NYT110g is user site I05a's 
first request of the current session, central proxy system 
110a will recognize the same, and display its own 
HTML-document, possibly on user site 105a's browser. 

Turning momentarily to FIGURE 3. illustrated is an 
exemplary full screen window of a conventional browser 
300 ("NETSCAPE©') displaying an inlaid interface 305 
("JANU5 SM ") of central proxy system 1 10a according to 


the principles of the present ffivention. Exemplary inter- 
face 305 prompts a user of site 105a to enter user de- 
finable character strings, which according to the illus- 
trated embodiment includes identification ( n ID°) data 
s and secret ("S") data supplied by the user. Each user 
initially supplies a user ID (e.g., e-mail address) and a 
user S to allow one or more substitute identifiers to be 
chosen or constructed (site-specific substitute identifi- 
ers are suitably constructed from data specific to user 
105a and a particular server site which user 105a in- 
tends to browse). Alternatively, other or furtherdata sup- 
plied by the user may be appropriate in some applica- 
tions (e.g. , credit card number, post office address, han- 
dle, etc.). 

According to the advantageous embodiment, sub- 
stitute identifiers may be constructed (generated) using 
asuitable function that includes the features ol anonym- 
ity, consistency, collision resistance and uniqueness, 
protection from creation of dossiers, and single secret 
and acceptability Concerning anonymity, the identity of 
the user should be kept secret; that is, a server site, or 
a coalition of sites, cannot determine the true identity of 
the user from its substitute identification. Concerning 
consistency, for each server-site, each user should be 
provided with some substitute identifiers allowing the 
server site to recognize the user given the same, there- 
by enabling the server site to personalize the user's ac- 
cess and the user can thus be "registered" at the server 
site. 

With respect to collision resistance and unique- 
ness; given a user's identity and a server siie : a third 
party should not find a different user identity which re- 
sults in the same alias (impersonation) for that server 
site. As to protection from creation of dossiers, the user 
is like V to be assigned a distinct alias (substitute iden- 
tifier) for distinct server sites, so that a coalition of sites 
is unable to learn a user's habits and build a user profile 
(dossier) based on the set of sites accessed by the user. 
Lastly, single secret (user definable character string) 
and acceptability provides, given the user's identity and 
a single secret, automatic generation of secure, distinct 
aliases (substitute identifier) as needed for each server- 
site, transparent to the user - from the user's perspec- 
tive, the user definable character string is equivalent to 
a universal password for a collection of server-sites. 

According to this embodiment, a user ID is "corrupt" 
(not secret) if an adversary (one or more server sites 
desirous of identifying the user), E. has been able to 
read the user's secret, S. Alternatively, a user ID is "par- 
tially opened" (not fully secure) with respect to a partic- 
ular server she, w, if E has been able to read the alias 
password: a user ID is "opened" (not secure) with re- 
spect to w, if it is partially opened and E has been able 
to relate the alias password together with the alias user 
name to the user ID. Assuming that the f unctbn, T(). is 
defined as follows, TJuser ID, web-site ("iV). S) = ( sub- 
stitute username, passwords,), hence, T(id, w,S} = (Uw, 
Pw); and Tu(ict,w,S)= LAvand Tp(id,w,S) = Pw. 


15 


20 


25 


30 


35 


40 


45 


50 


6 


11 


EP 0 855 659 A1 


12 


Tu (id, w. S) = Uw= h(enc(k,id, f(s v w))) 

and 

Tppd,w,S) = Pw= h(eno(k,'td, f(s 2 ,w))) f 

wherein 

id denotes user site 105a's ID (e.g., e-mail 

address); 

w denotes server site 110gfs domain 

name; 

// denotes the logical function of concate- 

nation; 

S denotes k/Zs^/s^ a user site 1 05a defin- 

able character string; 

xor denotes the Boolean function of exclu- 

sive or x 

f(k,x) denotes a suitably arranged function for 

generating pseudo-random values, and 
may be selected from a group of func- 
tions, such as des(k,h(x),x); 

enc(kxr) denotes r//(f(kj)xorx); 

h() denotes a collision -resistant hash func- 

tion, such as MD5; and 

des(k,i,x) denotes DES encryption in cipher block 
chaining ("CBC") mode, which are 
known, o1 information x using key /rand 
an initialization vector i 
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30 


Both Tu() and Tp§ may suitably truncate the result of 
the hashing function, h(), io fit the longest allowed user 
name or password for the particular server site. 35 

Relating this function, T(), to the above- identified 
and described features yields the following: 

1. Ecan only guess at the identity, ID, of a user 
which is only partially opened and uncorrupted. 40 

2. TQ is a deterministic function and E can only 
guess at the alias-password of a user which is un- 
opened and uncorrupted 

3. Given wand an uncorrupted and unopened user 

ID, E can only guess at the ID and S. 45 

4. For an uncorrupted user ID and w T T(id,w,S) does 
not give to E information about T(id,w',S) for any w' 
not equal to w. 

5. The range of T('ri,w,S) is such thai it is accepted 

by server sites as a valid username and password so 
- implying a limited length string ol printable char- 
acters. 

Those skilled in the pertinent art will understand that al- 
ternate suitable functions may replace or be used in as- ss 
soclatlon with the foregoing according to the principles 
of the present Invention. 

Use ol the loregoing exemplary substitute identifier 


constructing function, and for that matter, any other suit- 
ably arranged function for constructing substitute iden- 
tifiers according to the present invention, operates to 
foster the above-identified features of anonymyzed and 
personalized browsing. The present invention provides 
the ability to anonymously visit a server site a first time 
via site-specific substitute identifiers, to interact with the 
server site as a function thereof, and to re-visil the serv- 
er site on subsequent occasions using the same site- 
specific substitute identifiers, interacting with the server 
site as a return customer - possibly receiving person- 
alized attention - as a lunctbn of the recognized sub- 
stitute identifiers. Simply stated, the substitute identifi- 
ers are constructed consistently, and in advantageous 
embodiments in a site-specific manner. 

In one embodiment of the present invention, the 
substitute identifiers include site-specific substitute user 
names and site-specific substitute user passwords. 
"Site-specific" means that the names and passwords 
vary from site to site, depending perhaps upon the ad- 
dress of each site. This may complicate the task of cre- 
ating a dossier relative to a given user. In a related em- 
bodiment, the first routine constructs site-specific sub- 
stitute e-mail addresses for user site 1 05a from the site- 
specific data. In an alternate advantageous embodi- 
ment, the first routine constructs the site-specific sub- 
stitute identifiers from addresses of the server sites - of 
course, site-specific information other than the address 
of the site may be used to construct the substitute iden- 
tifiers. 

If this is the first contact of the user with central 
proxy system 110a, then the user may suitably generate 
a user defined character string (secret) at random and 
store the same locally. In one advantageous embodi- 
ment, the first routine processes substitute identifiers 
that may be constructed by applying pseudo-random 
and hash functions {e.g., T() lunctbn set forth herein- 
above) to the data received from user site 1 05a - those 
skilled in the art are familiar with the structure and op- 
eration ol pseudo-random and hash functions and their 
utility. The important aspect of this and related embod- 
iments is that the present inventbn is adapted to take 
advantage of current and later-discovered functions to 
enhance anonymity and security. 

Alternatively, if this is the first contact of a current 
session then the user may suitably enclose the stored 
user defined character string to central proxy system 
110a. Nonetheless, browser 300 sends interface 305 to- 
gether with a user's ID and other user definable charac- 
ter string to central proxy system 110a. Central proxy 
system 1 1 0a receives this information and may use the 
same for the rest of the session. 

In one advantageous embodiment, the first routine 
receives or generates session tags that are added to the 
browsing commands, central proxy site 11 0a employing 
the sessbn tags to associate the substitute identifiers 
with each of the browsing commands -- the session 
tags, while not necessary to the present invention, pro- 


7 


13 


EP 0 855 659 A1 


14 


vide oris manner that allows user sites 105a to supply 
their data only once, usually at the beginning of each 
session. In a related advantageous embodiment, cen- 
tral proxy site 110a includes a data store that is capable 
ol containing session information specific to user sites 
105a and accessible by server sites 11 Og. 

In one advantageous embodiment, the second rou- 
tine described above, which may be local to the central 
proxy system 110a, transmits the substitute identifiers 
to 6erversite 110g. In a further advantageous embodi- 
ment, the second routine transmits the substitute iden- 
tifiers to server site 1 10g based on alphanumeric codes 
supplied in fields of web-pages 305 by the users. The 
alphanumeric codes prompt the second routine as to 
how and where to locate the substitute identifiers, re- 
movhg the users from actually having to provide the 
substitute identifiers directly. Of course, the alphanu- 
meric codes may be supplied in a different form. In a 
related, more specific embodiment: the users manually 
place the alphanumeric codes in the fields of web-pages 
305. Of course, the present invention encompasses in- 
telligent parsing of the fields o1 web pages 305 to deter- 
mine automatically how and where the alphanumeric 
codes should be located. Those skilled in the art are fa- 
miliar with the Internet in general: the World Wide Web 
in particular and the way in which the structure of the 
World Wide Web promotes "browsing." The present in- 
vention finds apparent utility in conjunction with the In- 
ternet and the World Wide Web, however, those skilled 
in the art will readily understand that the present inven- 
tion has advantageous application outside of the Inter- 
net as well in any suitably arranged computer, commu- 
nications, multimedia or like network configuration. 

Nonetheless, after central proxy system 110a ob- 
tains the required information about the user, the above- 
described third routine removes portions of the browsing 
commands that would identify user site 105a to server 
site 11 0g, and forwards user site 1 05a's original request 
for access to NYT-site 11 Og (e.g., using an HTTP get- 
request) - thereby selectively excluding from the re- 
quest header-fields or the like that may identity the user. 

If this is the user's first visit to NYT-site 110g, then 
it may suitably provide the user with an electronic form 
prompting, for example, for a user name, a password 
and an e-mail address in order to establish an account. 
Turning momentarily to FIGURE 4, illustrated is exem- 
plary full screen window of conventional NETSCAPE® 
browser 300 displaying an inlaid interface 400 ('THE 
NEW YORK TRIBUNE") of server site 110g according 
to the principles ol the present invention. 

Now, instead of having to provide a unique user 
name and a secret password, the user may suitably pro- 
vide these fields with simple escape strings (e.g., "<uu- 
uu>"and"<pppp>°). Morespecifically, the alphanumeric 
codes above-described may be suitably arranged into 
such escape sequences - those skilled in the art are 
familiar with escape sequences. These strings are rec- 
ognized by central proxy site 110a which uses user site 


105a's user name and secrel (user definable character 
string) along with the domain-name of the NEW YORK 
TRIBUNE and computes substitute identifiers (e.g., ali- 
as user name, u3, and alias password, p3. in FIGURE 
£ 2, etc.), such as by function T(iD, secret, domain-name). 
The site-specific substitute identifiers may be sent to a 
particular server site by central proxy system 11 Oa using 
the same mechanism that the user would submit input 
to the particular server site. In other words, proxy system 
110a receives information communications, such as 
browsing commands, Irom user site 105a intended for 
server site 11 0g, and retransmits the same to server site 
1 1 0g - central proxy system 11 0a functioning as a trans- 
parent conduit for anonym izing and, through consistent 
generation of site-specific substitute identifiers, person- 
alizing server site browsing. 

On a subsequent visit to NYT-site 110g, which will 
require that user site 1 05a authenticate itself (response 
to the first get-request forwarded lo NYT-sile I10g by 
central proxy system 110a). central proxy system 110a 
may be suitably operative to automatically recompute 
u3 and p3 and reply by sending these values back to 
NYT-site 11 Og (re-sending the get-request). User site 
105a is thereby freed from the burden of remembering 
the user name and password of its NYT-site 110g ac- 
count. To summarize, the protocol, which may be suita- 
bly executed without involving user site 105a, includes: 
(1 ) a step of NYT-site server 1 10g requesting an authen- 
tication from central proxy site 110a by failing the first 
get request; (2) central proxy site 11 Oa recomputing the 
substitute identifiers (e.g., (alias-user name, alias-pass- 
word) = T(ID, secret, domain-name), or the like); (3)cen- 
tral proxy site 110a replying by re-sending the get with 
the same substitute identifiers. 

The substitute identifiers are consistent in the sense 
that the substitute identifiers are presented on subse- 
quent visits to the same server site by user 105a. Con- 
sistent substitute identifiers allow server sites to recog- 
nize returning users and provide personalized service 
to them. In one embodiment, the second routine trans- 
mits the substitute identifiers on demand from servers, 
without any intervention from user 105a. This process 
automates the response to a "basic authentication re- 
quest," which is a common procedure used by servers 
to identify users 105a on the World Wide Web. in this 
way, user 105a is not burdened by this activity. In this 
embodiment, the second routine may have to re-trans- 
mit the original user request along with the substitute 
identifier to the server. 

It should be noted that many servers require a valid 
e-mail address for creating an account - users cannot 
use their true e-mail address for this purpose since it 
uniquely identifies them. The proxy system of the 
present invention may suitably solve this problem by 
creating an alias e-mail address for user site 105a and 
store e-mail In an electronic mailbox. In one advanta- 
geous embodiment, central proxy system 11 0a includes 
a data store capable of containing e-mail destined for 
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the users, thereby preventing server sites from contact- 
ing users directly. Contrary to prior art anonymous re- 
mailers, the present embodiment is not required to rely 
on having to store any translation tables (which may be 
large and vulnerable) from alias to true user identifiers 
in central proxy system 110a. This embodiment is inher- 
ently securer than prior art approaches as central proxy 
system 110a is not required to maintain and protect a 
translation table and cannot be forced to reveal the con- 
tents of any such table to a third party. 

In an alternate advantageous embodiment, central 
proxy system 1 05a further includes a data store capabl e 
of containing e-mailboxes for the users and specific to 
the server sites . According to th is embodiment, each us- 
er has a mailbox for each site that has generated mail 
destined for the user. Rather than compromising secu- 
rity by allowing automatic remailing to the user, the 
present embodiment may store e-mail for explicit re- 
trieval by each user. 

For each server, it may be advantageous for users 
to have a separate e-mail box. possibly identified by us- 
er-substitute identifiers. This approach may allow for 
suitable disposal of e-mail messages received from the 
third-parties (e.g., "junk e-mail') as well as the option of 
selective disposal of e-mail messages. 

In one advantageous embodiment, each of e-mail- 
boxes has a key associated therewith, the key being a 
function of the data and an index number. The use of 
keys with e-mailboxes is known. In another advanta- 
geous embodiment, central proxy system 110a further 
comprises a computer-executable routine that, given 
the substitute identifiers, collects e-mail destined for the 
users and contained within a plurality of sile-specific e- 
mailboxes. This embodiment may suitably employ a 
mail-collecting routine that automatically locates user 
site lOSa's various mailboxes and retrieves the mail 
therefrom once the user has supplied the appropriate 
data. 

According to one advantageous embodiment, cen- 
tral proxy system 110a includes functionality necessary 
to support electronic payment, the users employ elec- 
tronic payment information to engage in anonymous 
commerce with the server sites. To facilitate the same, 
central proxy system 1 1 0a may include a data store ca- 
pable of containing such electronic payment informa- 
tion. Further 5 substitute identifiers may be constructed, 
at least in part, using credit/debit card numbers, bank 
branch or account numbers, postal addresses, tele- 
phone numbers, tax identification numbers, social se- 
curity numbers or the like. Various methods for achiev- 
ing anonymous commerce are known. 

By way of further example, an ever increasing 
number of sites require a valid credit card number as 
part of establishing an account, so that such sites may 
charge the user for their services (e.g., WALL STREET 
JOURNAL®, ESPN®, etc.). While the above -described 
proxy system provides substitute identifiers to free users 
from remembering these items and by providing a guard 


on (involuntary) data flowing to the web-site, it may not 
provide complete anonymity to a user who has provided 
a credit card number to a site. One solution, described 
briefly above, requires central proxy system 110a to pro- 
s vide its own valid credit card number to the requesting 
site and then collect money from its users. If central 
proxy system 105a is incorporated into an Internet pro- 
vider, for example, such as AMERICA ONLINE®, then 
this relationship may already exist. 

Alternatively: central proxy system 110a may be 
known and trusted by other sites, thereby allowing cen- 
tral proxy system 1 10a to generate an alias credit card 
number and expiralion date, and then to authenticate 
this data and send it to a requesting site. The site can 
then check that this number indeed originates from cen- 
tral proxy system 1 1 0a and hence accepts the same as 
valid, with the understanding that it can collect the mon- 
ey from central proxy system 110a There no longer is 
a need to send a "real" credit card number between cen- 
tral proxy system 1 10a and the sites. 

It is important to realize that the various features 
and aspects of the embodiments above-described may 
also be suitably implemented in accordance with the pe- 
ripheral proxy system described with reference to FIG- 
URE 1. More particularly turning momentarily to FIG- 
URE 5, there is illustrated a block diagram of an exem- 
plary sub-network (generally designated 500) olthe dis- 
tributed network of FIGURE 1 showing a peripheral 
proxy system 120 that includes each of user site 105a, 
central proxy system 110a and NYT-site 110g (shown 
among a plurality of other illustrative server sites 110 of 
Internet 115) according to the principles of the present 
invention. 

Peripheral proxy system 120, as set forth above, in- 
cludes first and second executable routines. The first 
routine, which advantageously resides in user site 1 05a, 
constructs substitute identifiers from data particular to 
user site 105a. The second routine, which also illustra- 
tively resides in user site 105a, transmits the substitute 
identifiers to central proxy system 110a. Central proxy 
system 110a then retransmits the substitute identifiers 
to server site 110g and thereafter communicates (e.g., 
transmits, receives, etc.) information (e.g. t browsing 
commands: data, etc.) between user site 1 05a to server 
site 110g. This second configuration is particularly ad- 
vantageous when users may not trust central proxy sys- 
tem 110a orthe communication lines therebetween, and 
want to keep user identifications and other secret infor- 
mation secure. 

A local proxy system 51 0 may be used to maintain 
the same, and may use the user's identification and oth- 
er information to compute the substitute identifiers. Lo- 
cal proxy system 51 0 communicates with a central proxy 
system 110a, which may be used to forward communi- 
cation to servers and handle e-mail. I n one embodiment, 
central proxy system 110a communicates with compu- 
ter-executable local routines associated with the users, 
the local routines constructing the site-specific substi- 
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tute identifiers from data specific to the users. Again, 
central proxy system 110a may rely on distributed rou- 
tines, locaJ to each user that generate the substitute 
identifiers and transmit the same to central proxy system 
110a 

Turning now to FIGURE 6, illustrated is a block di- 
agram of an exemplary sub-network (generally desig- 
nated 600) of the distributed network 100 including each 
ol user site 105a, central proxy system 110a and a plu- 
rality of illustrative server sites 110b. 110c, and 110g ac- 
cording to an exemplary marker proxy embodiment of 
the present invention. As described above, the central 
proxy system of the present invention may be employed 
in at least two configurations, namely, a central proxy 
configuration (FIGURE 2) or a peripheral proxy config- 
uration (FIGURE 5). 

In the central proxy configuration, central proxy sys- 
tem 110a computes substitute identifiers. An implemen- 
tation of this configuration may require user site 105ato 
provide one or more user definable character strings (e. 
p., user identification, password and other secret infor- 
mation) once : and central proxy system 11 0a will there- 
after generate the substitute identifiers as needed. Cen- 
tral proxy system 110a may associate the user definable 
character strings with a series ol HTTP requests gener- 
ated by the same user site 105a - the central proxy sys- 
tem 110a may associate each request with a session, 
that contains all communication between a specific user 
site 105a and the central proxy system 110a. 

The HTTP protocol however does not generally di- 
rectly support sessions or relationships between re- 
quests. More particularly, each HTTP request may be 
sent a new socket connection, and there is no required 
HTTP header field that can link successive requests 
from the same user. 

It should be noted that the session identification is 
typically not necessary in the peripheral proxy configu- 
ration since central proxy system 110a may forward 
communications without any computation. In a typical 
embodiment, peripheral proxy system 120 retransmits 
browsing commands received from user site 105a to 
central proxy system 11 0a, which then retransmits such 
commands to server site 11 Og. According to one em- 
bodiment, peripheral proxy system 120 removes and, 
possibly, substitutes portions of the browsing com- 
mands that would identify user site 105a to server site 
110g. 

In one advantageous embodiment user site 105a 
runs a marker program 605 locally. Marker program 605 
operates to tag user site 1 05a's requests with a session 
tag, r. Central proxy system 110a uses this tag to identify 
requests belonging to a particular one of a group of us- 
ers. Marker program B05 may be implemented to store 
user site 105a's session tag and add this tag to all re- 
quests, and central proxy system 110a removes the ses- 
sion tag before forwarding the request to some server 
site. The session tag should be unique, as no two users 
should have the same tag. 


It should be noted that NETSCAPE® uses "cookies, 
" which are a mechanism for storing and retrieving long 
term session information (the use of "cookies" concep- 
tually is known). The cookies are generated by the 

5 browsed servers and are associated with a specific do- 
main name. Browsers 300 submit the cookies associat- 
ed with a specific domain name whenever the user re- 
visits that domain. Servers typically only generate cook- 
ies associated with their domain. Cookies provide an 

10 easy mechanism to keep session information, such as 
the contents of a "shopping cart, - account name, pass- 
word, event counters, user preferences. e1c. 

Some companies, use cookies extensively to track 
users and their habits. Since the proxy systems of the 

15 present invention present substitute identifiers to 
browsed servers, the servers cannot learn true user 
identities. Thus all of the information that the server may 
store in its cookie relates to some "alias persona,* and 
not to the true user. Whenever the user returns to the 

to same server, it will present the same substitute identifi- 
ers, and may also submit the cookie thatthe server gen- 
erated earlier for this alias persona. 

It is apparent from above, that the present invention 
provides, for use with a network having user sites and 

£5 server sites, wherein the server sites are capable of be- 
ing browsed by the user sites based on identifiers re- 
ceived into the server sites and personal to the user 
sites, both a centra! and a peripheral proxy system for 
providing consistent substitute identifiers to the server 

30 sites that allow the user sites to browse the server sites 
in an anonymous and personal fashion via the proxy 
system. 

An exemplary central proxy system includes: (1 ) an 
executable first routine that processes site-specific sub- 

35 stitute identifiers constructed from data specific to the 
user sites, (2) an executable second routine that trans- 
mits the substitute Identifiers to the server sites and 
thereafter retransmits browsing commands received 
from the user sites to the server sites and (3) an execut- 

*o able third routine that removes (and possibly substi- 
tutes) portions of the browsing commands that would 
identify the user sites to the server sites. 

An exemplary peripheral proxy system includes: (1 ) 
an executable first routine that constructs a particular 

45 substitute identifier from data received from a particular 
user site and (2) an executable second routine that 
transmits the particular substitute identifier to a central 
proxy system, the central proxy system then retransmit- 
ting the particular substitute identifier to the server site 

50 and thereafter retransmitting browsing commands re- 
ceived from the particular user site to the server site. 

Although the present invention has been described 
in detail, those skilled in the art should understand that 
they can make various changes, substitutions and alter- 

ss ations herein without departing from the scope of the 
invention In Its broadest form. More particularly It should 
be apparent to those skilled in the pertinent art that the 
above-described routines are software-based and exe- 
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cutable by a suitable conventional computer system/ 
network. Alternate embodiments of the present inven- 
tion may also be suitably implemented, at least in part, 
in firmware or hardware, or some suitable combination 
ol at least two of the three. Such firmware-or hardware 
embodiments may include mufti, parallel and distributed 
processing environments or configurations, as well as 
alternate programmable logic devices, such as pro- 
grammable array logic ("PALs") and programmable log- 
ic arrays ("PLAs"), digital signal processors ('DSPs'), 
field programmable gate arrays ('FPGAs'), application 
specific integrated circuits ("ASICs"), large scale inte- 
grated circuits ("LSIs"), very large scale integrated cir- 
cuits ("VLSIs") or the like - to form the various types of 
modules, circuitry, controllers, routines and systems de- 
scribed and claimed herein. 

Conventional computer system architecture is more 
fully discussed in The Indispensable PC Hardware 
Book s by Hans-Peter Messmer, Addison Wesley (2nd 
ed. 1995) and Computer Organization and Architecture, 
by William Stallings, MacMillan Publishing Co. (3rd ed. 
1993); conventional computer, or communications, net- 
work design is more fully discussed in Data Network De- 
sign, by Darren L Spohn, McGraw-Hill, Inc. (1993); and 
conventional data communications is more fully dis- 
cussed in Voice and Data Communications Handbook, 
by Bud Bates and Donald Gregory, McGraw-Hill, Inc. 
(1996), Oafa Communications Principles, by R. D. Gitlin, 
J. F. Hayes and S. B. Weinstein, Plenum Press (1992) 
and The Irwin Handbook of Telecommunications, by 
James Harry Green, Irwin Professional Publishing (2nd 
ed. 1992). 


Claims 

1. A central proxy system lor coupling to a network and 
for allowing users to browse server sites on said 
network anonymously via said central proxy sys- 
tem, sad central proxy system comprising: 

a computer-executable first routine that proc- 
esses site-specific substitute identifiers con- 
structed from data specific to said users; 
a computer-executable second routine that 
transmits said substitute identifiers to said serv- 
er sites and thereafter retransmits browsing 
commands received from said users to said 
server sites; and 

a computer-executable third routine that re- 
moves portions of said browsing commands 
that would identify said users to said server 
sites. 

2. The central proxy system as recited in Claim 1 
wherein said data comprises identification data and 
a user definable character string supplied by said 
users. 


3. The central proxy system as recited in Claim 1 
wherein said site-specific substitute identifiers com- 
prise site-specific substitute user names and site- 
specific substitute user passwords. 

s 

4. The central proxy system as recited in Claim 1 
wherein said first routine constructs site-specific 
substitute electronic mail addresses for said users 
from said data. 

10 

5. The central proxy system as recited in Claim 1 
wherein said first routine constructs said site-spe- 
cific substitute identifiers from addresses of said 
server sites. 

15 

6. The central proxy system as recited in Claim 1 
wherein said server sites are World Wide Web sites 
capable of presenting web pages to said users, said 
second routine transmitting said substitute idem if i- 

20 ers to said server sites under direction of said users. 

7. The central proxy system as recited in Claim 1 
wherein said second routine transmits said substi- 
tute identifiers to said server sites based on alpha- 

ss numeric codes supplied in web page fields by said 
users. 

8. The central proxy system as recited in Claim 7 
wherein said alphanumeric codes are arranged in 

30 escape sequences. 

9. The central proxy system as recited in Claim 7 
wherein said users manually place said alphanu- 
meric codes in said web page fields. 

35 

10. The central proxy system as recited in Claim 9 
wherein said central proxy system communicates 
with computer-executable local routines associated 
with said users, said local routines constructing said 

40 site-specific substitute identifiers from data specific 
to said users. 

11. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 

4* electronic mail destined for said users. 

12. The central proxy system as recited in Claim 1 
wherein said first routine processes substitute iden- 
tifiers constructed by applying pseudo-random and 

50 hash functions to said data received from said us- 
ers. 

13. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 

ss electronic mailboxes for said users and specific to 
said server sites. 

14. The central proxy system as recited in Claim 13 
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wherein each of said electronic mailboxes hasa key 
associated therewith, said key being a function of 
said data and an index number. 

15. The central proxy system as recited in Claim 1 fur- 
ther comprising a computer-executable routine 
that, given said substitute identifiers, collects elec- 
tronic mail destined for said users and contained 
within a plurality of site-specific electronic mailbox- 
es. 

16. The central proxy system as recited in Claim 1 
wherein said first routine receives session tags add- 
ed to said browsing commands, said central proxy 
system employing said session tags to associate 
said substitute identifiers with each ot said browsing 
commands. 

17. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 
session information specific to said users and ac- 
cessible by said server sites. 

18. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 
electronic payment information, said users employ- 
ing said electronic payment information to engage 
in anonymous commerce with said server sites. 

19. The central proxy system as recited in Claim 1 fur- 
ther comprising an initializing routine that con- 
structs said site-specific substitute identifiers from 
data specific to said users and communicates said 
site-specific substitute identifiers to said first rou- 
tine. 

20. A peripheral proxy system tor coupling to a network 
and for al towing at least one user to browse a server 
site on said network anonymously via a central 
proxy system, said peripheral proxy system com- 
prising: 

a computer-executable lirst routine that con- 
structs a particular substitute identifier Irom da- 
ta received from a particular user; and 
a computer-executable second routine that 
transmits said particular substitute identifier to 
said central proxy system, said central proxy 
system retransmitting said particular substitute 
identifier to said server site and thereafter re- 
transmitting browsing commands received 
from said particular user to said server site. 


22. The peripheral proxy system as recited in Claim 20 
wherein said particular substitute identifier compris- 
es a particularsubstitute username and a particular 
substitute user password. 

s 

23. The peripheral proxy system as recited in Claim 20 
wherein said first routine constructs a particular 
substitute electronic mail address for said particular 
user from said data. 

10 

24. The peripheral proxy system as recited in Claim 20 
wherein said first routine constructs said particular 
substitute identifier from an address of said server 
site, said particular substitute identifier therefore 

*s being specific to said server site. 

25. The peripheral proxy system as recited in Claim 20 
wherein said server site is a World Wide Web site 
capable of presenting at least one web page to said 

20 users, said central proxy system transmitting said 
particularsubstitute identifierto said server site un- 
der direction of said particular user. 

28. The peripheral proxy system as recited in Claim 20 
2£ wherein said central proxy system said particular 
substitute identifier to said server site based on al- 
phanumeric codes supplied in web page fields by 
said user. 

30 27. The peripheral proxy system as recited in Claim 26 
wherein said alphanumeric codes are arranged in 
escape sequences. 

28. The peripheral proxy system as recited in Claim 20 
35 wherein said central proxy system further compris- 
es a computer-executable third routine that re- 
moves portions ol said browsing commands that 
would identify said particular user to said server 
site. 

40 

29. The peripheral proxy system as recited in Claim 28 
wherein said first and second routines are execut- 
able on a computer system associated with said 
particular user and said central proxy system is a 

4S computer system having a network address differ- 
ent from said computer system associated with said 
particular user. 

30. The peripheral proxy system as recited in Claim 20 
so wherein said central proxy system lurther compris- 
es a data store capable of containing electronic mail 
destined for sab particular user. 


21 . The peripheral proxy system as recited in Claim 20 
wherein said data comprises identification data and 55 
a user definable character string supplied by said 
particular user. 


31. The peripheral proxy system as recited in Claim 20 
wherein said first routine constructs said particular 
substitute Identifier by applying pseudo-random 
and hash functions to said data received from said 
particular user. 
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32. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a data store capable of containing an electronic 
mailbox for said particular user and specific to said 
server site. 

33. The peripheral proxy system as recited in Claim 32 
wherein said electronic mailbox has a key associ- 
ated therewith, said key being a function of said da- 
ta and an index number. 

34. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a computer-executable routine that, given said 
particular substitute identifier, collects electronic 
mail destined for said particular user and contained 
within at least two electronic mailboxes. 

35. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a computer-executable marker routine that adds 
session tags to said browsing commands, said 
proxy system employing said session tags to asso- 
ciate said particular substitute identifier with each 
of said browsing commands. 

36. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a data store capable of containing session infor- 
mation specific to said particular user and accessi- 
ble by said server site. 

37. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a data store capable ol containing electronic pay- 
ment information, said particular user employing 
said electronic payment information to engage in 
anonymous commerce with said server site. . 

38. A method for use with a network having a server 
site capable of being browsed by users and for al- 
lowing said users to brows© said server site on said 
network anonymously via said proxy system, said 
method comprising the steps of: 

constructing a particular substitute identifier 
from data received from a particular user; 
transmitting said particular substitute identifier 
to said server site; and 

thereafter retransmitting browsing commands 
received from said particular user to said server 

site. 

39. The method as recited in Claim 38 wherein said da- 
ta comprises identification data and a user defina- 
ble character string supplied by said particular user. 

40. The method as recited in Claim 3B wherein said par- 


ticular substitute identifier comprises a particular 
substitute user name and a particular substitute us- 
er password. 

5 41 . The method as recited in Claim 38 further compris- 
ing the step of constructing a particular substitute 
electronic mail address for said particular user from 
said data. 

io 42. The method as recited in Claim 38 wherein said 
step of constructing comprises the step of con- 
structing said particular substitute identifier from an 
address of said server site, said particular substitute 
identifier therefore being specific to said server site. 

15 

43. The method as recited in Claim 38 wherein said 
server site is a World Wide Web site capable of pre- 
senting at least one web page to said users, said 
method further comprising the step of transmitting 

2* said particularsubstitute identifier to said server site 
under direction of said particular user. 

44. The method as recited in Claim 38 wherein said 
step of transmitting comprises the step of transmit- 

2S ting said particular substitute identifierto said server 
site based on alphanumeric codes supplied in web 
page fields by said user. 

45. The method as recited in Claim 44 wherein said al- 
so phanumeric codes are arranged in escape se- 
quences. 

46. The method as recited in Claim 38 further compris- 
ing the step of removing portions of said browsing 

35 commands that would identify said particular user 
to said server site. 

47. The method as recited in Claim 46 wherein said 
step of constructing is performed on a computer 

40 system associated with said particular user and 
said steps of transmitting and thereafter transmit- 
ting are performed on a computer syslem having a 
network address different from said computer sys- 
tem associated with said particular user. 

45 

48. The method as recited in Claim 38 further compris- 
ing the step of storing electronic mail destined for 
said particular user. 

so 49. The method as recited in Claim 38 wherein said 
step ol constructing comprises the step of applying 
pseudo-random and hash functions to said data re- 
ceived from said particular user. 

55 50. The method as recited in Claim 38 further compris- 
ing the step of creating an electronic mailbox for 
said particular user and specific to said server site. 


40 
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51. The method as recited in Claim 50 wherein said 
electronic mailbox has a key associated therewith, 
said key being a function of said data and an index 
number. 

s 

52. The method as recited in Claim 38 further compris- 
ing the step of collecting electronic mail destined for 
said particular user and contained within at least 
two electronic mailboxes given said particular sub- 
stitute identifier. 10 

53. The method as recited in Claim 38 further compris- 
ing the step of adding session tags to said browsing 
commands, said proxy system employing said ses- 
sion tags to associate said particular substitute 1S 
identifier with each of said browsing commands. 

54. The method as recited in Claim 38 further compris- 
ing the step of storing session information specific 

to said particular user and accessible by said server 20 
site. 

55. The method as recited in Claim 38 further compris- 
ing the step of storing electronic payment informa- 
tion, said particular user employing said electronic 2$ 
payment information to engage in anonymous com- 
merce with said server site. 
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Welcome to Janus! 


Janus is a system &r personalized anonymous Web access. 

Janus gmerates consistent untraceable aliases for vou from the 
information you provide in this page. Janus neither stores this 
information nor passes it to any server. Consequentially, Janus does 
not authenticate you. You must provide the same information in future 
sessions to generate the same aliases. 

You will see this form only once at the beginning of the session. You 
cannot change the input to Janus during the rest of your session, 
unless Janus delects that it fails to authenticate ycu. 

The pair <user na.-ne, alias-seed> should be unique among all Janus users. You can use your 
E-mail address as your name to reduce chance of collision with other users. Janus will not pass 
your name to any serrer. Maximal size for user name and seeds is 1000 characters each. 


Enter your user name [use your E-mail address): 


] 


Enter your secret must contain at least 8 characters): 


Verity your secret by typing it again: 
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Click has for more information about Janus. 
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If you have already registered, continue to the hotre pap . If 
you've registered, but are having problems entennj the site, 
consult our help section . 

Choose a Subscriber ID for The New York Tribune on the 
Web: 


<□□□□> 


] Minimum five characters 


Choose a password: 

r 


Minimum five characters 


Reenter password for confirmation: 


Enter your e-mail address; 


]<£DQ£) 


fan . 


FIG. 4 


18 


EP0 855 659 A1 



19 


EP 0 855 659 A1 



20 


EP 0 855 659 A1 



European Patent 
Office 


EUROPEAN SEARCH REPORT 


Application Number 

EP 98 30 0205 


DOCUMENTS CONSIDERED TO BE RELEVANT 


Category 


Citation of document with indention, where appropriate, 
of relevant pat Bag aft 


Relevant 
tocfaim 


CLASSIFICATION OF THE 
APPLICATION (tnLCLfl) 


P.X 


P.A 


E. GABBER ET AL: *How to make 
Personalized Web Browsing Sirrple, Secure 
and Anonymous 11 

FINANCIAL CRYPTOGRAPHY - FIRST 
INTERNATIONAL CONFERENCE (FC '97), 
24 - 28 February 1997, AHGU1LLA, BRITISH 
WEST INDIES, 

pages 17-31, XPG92059B19 

* the whole document * 

WO 97 15885 A (OPEN MARKET, INC.) 

* the whole document * 

R. L. SCHWARTZ: "How to be Virtually 

Anonymous" 

WEB TECHNIQUES, 

vol- 2, no. 2, February 1997 , US, 
pages 30-33, XPO02O5982G 

* the whole document * 

P. E. SYVERSON ET At: "Private Web 
browsing" 

JOURNAL OF COMPUTER SECURITY, 
vol. 5, no. 3, 1997, NL t 
pages 237-248, XP902G59821 

* the whole document * 

P. F. SYVERSON ET AL: "Anonymous 
Connections and Onion Routing 0 
1997 IEEE SYMPOSIUM ON SECURITY ANO 
PRIVACY 

4 - 7 May 1997, OAKLAND, CA, US, 
pages 44-54, XP0O2959B22 

* the whole document * 


1-55 


G06F17/30 


1-55 


1-55 


1-55 


TECHNICAL f IEIDS 
SEARCHED (IntCLfi) 


GQ6F 


Tli. preaant March report ha* be«n drawn up lor all claims 


1-55 


BERLIN 


Oat* of completion of Ihe enrzh 

7 April 1998 


Abram, R 


CATEGORY OF CITED DOCUMENTS 

Y : partoolarty relevant* combined with another 

dootmxwit of the aame category 
A : technologic*] background 

D: 
P: 


T : theory or pmapb undoing the invention 
E : earlier patent document, but pubfiihad on, or 

after tha filing date 
D : dooument oiled in th* appfuwtoo* 
L : doourrwnl okmd for crthv nnoM 


4 : member of the »ante patent tamlty, correepondlng 


21 


